Design guides for Ironport Web Security

Unanswered Question
Apr 19th, 2012

Hi All,

I am looking for a proxy solution for our enterprise network, and am considering the Ironport WebSecurity S370 appliance.

I am just curious if there are any good design guides on how to properly implement Ironport on the network.

I need best practices documents, i.e. can I place two units with one virtual IP address, and so on.


Thanks!

Ken Stieers Thu, 04/19/2012 - 09:10

WSAs don't cluster with a shared virtual IP. How you handle multiple WSA boxes is a function of how you're redirecting traffic to them.

     WCCP - you just add them as multiple WCCP destinations

     PAC file - you add separate entries and the browser/app figures out which one is available.

     Policy Based Routing (e.g. no Cisco router) - I'm not sure, as I've never done it.


You might be able to use a load balancer, but my feeling is that gets too complicated.


I used this to set up one box using WCCP

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/H1CY11/SBA_Mid_BN_WebSecurityDeploymentGuide-H1CY11.pdf


There's a caveat when you use WCCP for 2 boxes; you need to tweak the ACL so that you don't get loops:

http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=1603&p_created=1278697344&p_sid=zzjbITyk&p_accessibility=0&p_redirect=0&p_srch=1&p_lva=772&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MzA4LDMwOCZwX3Byb2RzPTAmcF9jYXRzPTAmcF9wdj0mcF9jdj0mcF9zZWFyY2hfdHlwZT1hbnN3ZXJzLnNlYXJjaF9ubCZwX3BhZ2U9MSZwX3NlYXJjaF90ZXh0PW11bHRpcGxlIFdTQQ!!&p_li=cF91c2VyaWQ9MXJvblAwcnQmcF9wYXNzd2Q9Zm8wQmE1&p_topview=1
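
The PAC file option mentioned in the reply above, sketched as an added example that is not part of the original post or of Cisco's documentation: each WSA is a separate entry, the order is rotated per destination host so both boxes carry load, and a switch controls whether clients may fall back to unfiltered DIRECT access when neither proxy answers. The hostnames, port 3128 and the internal suffix are hypothetical placeholders.

```javascript
// Added example PAC file. Hostnames, port and the internal suffix are
// hypothetical placeholders, not values from the thread.
var WSA_PROXIES = [
  "PROXY wsa1.example.internal:3128",
  "PROXY wsa2.example.internal:3128"
];
var INTERNAL_SUFFIX = ".example.internal";
// false = fail closed: if no WSA answers, the request fails instead of
// going out unfiltered. true appends DIRECT as a last resort.
var FAIL_OPEN = false;

// Stable string hash so a given host always prefers the same WSA.
function hostHash(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Return every WSA as a separate entry, rotated so load is spread by host.
// The client tries entries left to right and skips proxies that are down.
function buildProxyList(host, failOpen) {
  var n = WSA_PROXIES.length;
  var first = hostHash(host) % n;
  var entries = [];
  for (var i = 0; i < n; i++) {
    entries.push(WSA_PROXIES[(first + i) % n]);
  }
  if (failOpen) {
    entries.push("DIRECT");
  }
  return entries.join("; ");
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var isPlainName = host.indexOf(".") === -1;
  var isInternal = host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
  if (isPlainName || isInternal) {
    return "DIRECT"; // internal traffic does not go through the WSAs
  }
  return buildProxyList(host, FAIL_OPEN);
}
```

With `FAIL_OPEN` left at `false`, an outage of both appliances blocks web access rather than silently bypassing filtering.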
